Managing session secrets for continuous packet capture systems
Abstract
Embodiments are direct to monitoring communication between computers may be using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session that includes a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. And, the key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.
Claims
exact text as granted — not AI-modifiedWhat is claimed as new and desired to be protected by Letters Patent of the United States is:
1. A method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising:
continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets stored in the data store and their associated key information in the secure communication session based on the correlation information;
providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and
choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
2. The method of claim 1 , further comprising, when a query is provided to the key escrow, performing further actions, including:
employing the query to provide a result set that includes query result correlation information and query result key information;
providing one or more captured network packets from the data store based on the query result correlation information; and
decrypting the one or more captured network packets based on the query result key information.
3. The method of claim 1 , wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
4. The method of claim 1 , wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
5. The method claim 1 , wherein the correlation information, further comprises:
other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
6. The method of claim 1 , further comprising:
providing one or more previously captured network packets that are associated with one or more secure communication sessions;
providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
decrypting the one or more previously captured network packets using the key information.
7. The method of claim 1 , further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.
8. The method of claim 1 , further comprising:
providing one or more previously captured encrypted network packets that are associated with one or more secure communication sessions;
providing key information that is associated with the one or more previously captured encrypted network packets based on the correlation information that is associated with the one or more previously captured network packets; and
enabling one or more services or applications to access the one or more previously captured encrypted network packets and the associated key information.
9. A system for monitoring communication over a network between one or more computers comprising:
one or more network monitoring computers (NMCs), comprising:
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including:
continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters; and
the one or more computers, comprising:
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including:
providing the plurality of network packets.
10. The system of claim 9 , further comprising, when a query is provided to the key escrow, performing further actions, including:
employing the query to provide a result set that includes query result correlation information and query result key information;
providing one or more captured network packets from the data store based on the query result correlation information; and
decrypting the one or more captured network packets based on the query result key information.
11. The system of claim 9 , wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
12. The system of claim 9 , wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
13. The system of claim 9 , wherein the correlation information, further comprises:
other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
14. The system of claim 9 , wherein the NMCs one or more processors execute instructions that perform actions, further comprising:
providing one or more previously captured network packets that are associated with one or more secure communication sessions;
providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
decrypting the one or more previously captured network packets using the key information.
15. The system of claim 9 , wherein the NMCs one or more processors execute instructions that perform actions, further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.
16. The system of claim 9 , wherein the NMCs one or more processors execute instructions that perform actions, further comprising:
providing one or more previously captured encrypted network packets that are associated with one or more secure communication sessions;
providing key information that is associated with the one or more previously captured encrypted network packets based on the correlation information that is associated with the one or more previously captured network packets; and
enabling one or more services or applications to access the one or more previously captured encrypted network packets and the associated key information.
17. A processor readable non-transitory storage media that includes instructions for monitoring communication over a network between one or more computers, wherein execution of the instructions by one or more processors on one or more network monitoring computers (NMCs) performs actions, comprising:
continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
employing the one or more NMCs identify a secure communication session established between two of the one or more computers;
obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by a key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; and
providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and
choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
18. The media of claim 17 , further comprising, when a query is provided to the key escrow, performing further actions, including:
employing the query to provide a result set that includes query result correlation information and query result key information;
providing one or more captured network packets from the data store based on the query result correlation information; and
decrypting the one or more captured network packets based on the query result key information.
19. The media of claim 17 , wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
20. The media of claim 17 , wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
21. The media of claim 17 , wherein the correlation information, further comprises:
other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
22. The media of claim 17 , further comprising:
providing one or more previously captured network packets that are associated with one or more secure communication sessions;
providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
decrypting the one or more previously captured network packets using the key information.
23. The media of claim 17 , further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.
24. A network monitoring computer (NMC) for monitoring communication over a network between one or more computers, comprising:
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including:
continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; and providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
25. The NMC of claim 24 , further comprising, when a query is provided to the key escrow, performing further actions, including:
employing the query to provide a result set that includes query result correlation information and query result key information;
providing one or more captured network packets from the data store based on the query result correlation information; and
decrypting the one or more captured network packets based on the query result key information.
26. The NMC of claim 24 , wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
27. The NMC of claim 24 , wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
28. The NMC of claim 24 , wherein the correlation information, further comprises:
other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
29. The NMC of claim 24 , further comprising:
providing one or more previously captured network packets that are associated with one or more secure communication sessions;
providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
decrypting the one or more previously captured network packets using the key information.
30. The NMC of claim 24 , further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.